Skip to main content
SpringerLink
Log in
Book cover

Annual International Cryptology Conference

CRYPTO 2022: Advances in Cryptology – CRYPTO 2022 pp 784–813Cite as

A More Complete Analysis of the Signal Double Ratchet Algorithm

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13507))

Abstract

Seminal works by Cohn-Gordon, Cremers, Dowling, Garratt, and Stebila [EuroS &P 2017] and Alwen, Coretti and Dodis [EUROCRYPT 2019] provided the first formal frameworks for studying the widely-used Signal Double Ratchet (\(\textsf{DR}\) for short) algorithm.

In this work, we develop a new Universally Composable (UC) definition \(\mathcal {F}_{\textsf{DR}}\) that we show is provably achieved by the \(\textsf{DR}\) protocol. Our definition captures not only the security and correctness guarantees of the \(\textsf{DR}\) already identified in the prior state-of-the-art analyses of Cohn-Gordon et al. and Alwen et al., but also more guarantees that are absent from one or both of these works. In particular, we construct six different modified versions of the \(\textsf{DR}\) protocol, all of which are insecure according to our definition \(\mathcal {F}_{\textsf{DR}}\), but remain secure according to one (or both) of their definitions. For example, our definition is the first to fully capture CCA-style attacks possible immediately after a compromise—attacks that, as we show, the \(\textsf{DR}\) protocol provably resists, but were not fully captured by prior definitions.

We additionally show that multiple compromises of a party in a short time interval, which the \(\textsf{DR}\) is expected to be able to withstand, as we understand from its whitepaper, nonetheless introduce a new non-trivial (albeit minor) weakness of the \(\textsf{DR}\). Since the definitions in the literature (including our \(\mathcal {F}_{\textsf{DR}}\) above) do not capture security against this more nuanced scenario, we define a new stronger definition \(\mathcal {F}_{\textsf{TR}}\) that does.

Finally, we provide a minimalistic modification to the \(\textsf{DR}\) (that we call the \(\text {Triple Ratchet}\), or \(\textsf{TR}\) for short) and show that the resulting protocol securely realizes the stronger functionality \(\mathcal {F}_{\textsf{TR}}\). Remarkably, the modification incurs no additional communication cost and virtually no additional computational cost. We also show that these techniques can be used to improve communication costs in other scenarios, e.g. practical Updatable Public Key Encryption schemes and the re-randomized TreeKEM protocol of Alwen et al. [CRYPTO 2020] for Secure Group Messaging.

The full version [8] is available as entry 2022/355 in the IACR eprint archive.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    We do not provide CKA schemes secure according to our definitions based on LWE or generic KEMs, as in ACD. However, we note that our stronger scheme \(\textsf{CKA}^{+}\) is intuitively at least as strong as their construction from generic KEMs, but more efficient.

References

  1. Abdalla, M., Bellare, M., Rogaway, P.: The Oracle Diffie-Hellman assumptions and an analysis of DHIES. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 143–158. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45353-9_12

    Chapter  Google Scholar 

  2. Alwen, J., Coretti, S., Dodis, Y.: The double ratchet: security notions, proofs, and modularization for the Signal protocol. Cryptology ePrint Archive, Report 2018/1037 (2018). https://eprint.iacr.org/2018/1037

  3. Alwen, J., Coretti, S., Dodis, Y.: The double ratchet: security notions, proofs, and modularization for the signal protocol. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part I. LNCS, vol. 11476, pp. 129–158. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_5

    Chapter  Google Scholar 

  4. Alwen, J., Coretti, S., Dodis, Y., Tselekounis, Y.: Security analysis and improvements for the IETF MLS standard for group messaging. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part I. LNCS, vol. 12170, pp. 248–277. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_9

    Chapter  Google Scholar 

  5. Balli, F., Rösler, P., Vaudenay, S.: Determining the core primitive for optimally secure ratcheting. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020, Part III. LNCS, vol. 12493, pp. 621–650. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64840-4_21

    Chapter  Google Scholar 

  6. Bao, F., Deng, R.H., Zhu, H.: Variations of diffie-hellman problem. In: ICICS (2003)

    Google Scholar 

  7. Bellare, M., Singh, A.C., Jaeger, J., Nyayapati, M., Stepanovs, I.: Ratcheted encryption and key exchange: the security of messaging. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part III. LNCS, vol. 10403, pp. 619–650. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_21

    Chapter  Google Scholar 

  8. Bienstock, A., Fairoze, J., Garg, S., Mukherjee, P., Srinivasan, R.: A more complete analysis of the signal double ratchet algorithm. Cryptology ePrint Archive, Report 2022/355 (2022)

    Google Scholar 

  9. Bitansky, N., Canetti, R., Halevi, S.: Leakage-tolerant interactive protocols. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 266–284. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_15

    Chapter  Google Scholar 

  10. Borisov, N., Goldberg, I., Brewer, E.: Off-the-record communication, or, why not to use PGP. In: Proceedings of the 2004 ACM Workshop on Privacy in the Electronic Society, pp. 77–84 (2004)

    Google Scholar 

  11. Brendel, J., Fiedler, R., Günther, F., Janson, C., Stebila, D.: Post-quantum asynchronous deniable key exchange and the signal handshake. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds.) Public-Key Cryptography - PKC 2022, pp. 3–34. Springer International Publishing, Cham (2022)

    Chapter  Google Scholar 

  12. Brendel, J., Fischlin, M., Günther, F., Janson, C.: PRF-ODH: relations, instantiations, and impossibility results. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part III. LNCS, vol. 10403, pp. 651–681. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_22

    Chapter  Google Scholar 

  13. Brendel, J., Fischlin, M., Günther, F., Janson, C., Stebila, D.: Towards post-quantum security for signal’s x3dh handshake. In: Selected Areas in Cryptography-SAC 2020 (2020)

    Google Scholar 

  14. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press, Las Vegas, 14–17 October 2001

    Google Scholar 

  15. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_13

    Chapter  Google Scholar 

  16. Canetti, R., Jain, P., Swanberg, M., Varia, M.: Universally composable end-to-end secure messaging. In: CRYPTO 2022 (2022)

    Google Scholar 

  17. Checkoway, S., et al.: On the practical exploitability of dual EC in TLS implementations. In: Fu, K., Jung, J. (eds.) USENIX Security 2014, pp. 319–335. USENIX Association, San Diego, CA, USA, 20–22 August 2014

    Google Scholar 

  18. Cohn-Gordon, K., Cremers, C., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the signal messaging protocol. In: 2017 IEEE European Symposium on Security and Privacy, EuroS &P 2017, Paris, France, April 26–28, 2017, pp. 451–466. IEEE (2017). https://doi.org/10.1109/EuroSP.2017.27

  19. Cohn-Gordon, K., Cremers, C., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the signal messaging protocol. J. Cryptol. 33(4), 1914–1983 (2020). https://doi.org/10.1007/s00145-020-09360-1

  20. Cohn-Gordon, K., Cremers, C.J.F., Garratt, L.: On post-compromise security. In: Hicks, M., Köpf, B. (eds.) CSF 2016 Computer Security Foundations Symposium, pp. 164–178. IEEE Computer Society Press, Lisbon, Portugal, June 27–1 2016

    Google Scholar 

  21. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)

    Article  MathSciNet  Google Scholar 

  22. Dobson, S., Galbraith, S.D.: Post-quantum signal key agreement with sidh. Cryptology ePrint Archive, Report 2021/1187 (2021)

    Google Scholar 

  23. Dodis, Y., Karthikeyan, H., Wichs, D.: Updatable public key encryption in the standard model (2021)

    Google Scholar 

  24. Durak, F.B., Vaudenay, S.: Breaking the FF3 format-preserving encryption standard over small domains. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part II. LNCS, vol. 10402, pp. 679–707. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_23

    Chapter  Google Scholar 

  25. Durak, F.B., Vaudenay, S.: Bidirectional asynchronous ratcheted key agreement with linear complexity. In: Attrapadung, N., Yagi, T. (eds.) IWSEC 2019. LNCS, vol. 11689, pp. 343–362. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26834-3_20

    Chapter  Google Scholar 

  26. FIPS, P.: 180–1. secure hash standard. National Institute of Standards and Technology 17, 45 (1995)

    Google Scholar 

  27. Galbraith, S.D.: Mathematics of Public Key Cryptography. Cambridge University Press, Cambridge (2012)

    Google Scholar 

  28. Goldreich, O.: The Foundations of Cryptography - Volume 2: Basic Applications. Cambridge University Press (2004). http://www.wisdom.weizmann.ac.il/%7Eoded/foc-vol2.html

  29. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989). https://doi.org/10.1137/0218012

  30. Hashimoto, K., Katsumata, S., Kwiatkowski, K., Prest, T.: An efficient and generic construction for signal’s handshake (x3dh): post-quantum, state leakage secure, and deniable. In: Public Key Cryptography (2), pp. 410–440 (2021)

    Google Scholar 

  31. Heninger, N., Durumeric, Z., Wustrow, E., Halderman, J.A.: Mining your PS and QS: detection of widespread weak keys in network devices. In: Kohno, T. (ed.) USENIX Security 2012, pp. 205–220. USENIX Association, Bellevue, WA, USA, 8–10 August 2012

    Google Scholar 

  32. Jaeger, J., Stepanovs, I.: Optimal channel security against fine-grained state compromise: the safety of messaging. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 33–62. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_2

    Chapter  Google Scholar 

  33. Jost, D., Maurer, U.: Overcoming impossibility results in composable security using interval-wise guarantees. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part I. LNCS, vol. 12170, pp. 33–62. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_2

    Chapter  Google Scholar 

  34. Jost, D., Maurer, U., Mularczyk, M.: Efficient ratcheting: almost-optimal guarantees for secure messaging. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 159–188. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_6

    Chapter  Google Scholar 

  35. Jost, D., Maurer, U., Mularczyk, M.: A unified and composable take on ratcheting. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 180–210. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_7

    Chapter  Google Scholar 

  36. Kiltz, E.: A Tool box of cryptographic functions related to the Diffie-Hellman function. In: Rangan, C.P., Ding, C. (eds.) INDOCRYPT 2001. LNCS, vol. 2247, pp. 339–349. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45311-3_32

    Chapter  Google Scholar 

  37. Kobeissi, N., Bhargavan, K., Blanchet, B.: Automated verification for secure messaging protocols and their implementations: A symbolic and computational approach. In: 2017 IEEE European Symposium on Security and Privacy (EuroS &P), pp. 435–450 (2017)

    Google Scholar 

  38. Krawczyk, H., Eronen, P.: Hmac-based extract-and-expand key derivation function (hkdf). Technical report, RFC 5869, May 2010

    Google Scholar 

  39. Kurosawa, K., Matsuo, T.: How to remove MAC from DHIES. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 236–247. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27800-9_21

    Chapter  Google Scholar 

  40. Marlinspike, M., Perrin, T.: The Double Ratchet Algorithm (11 2016). https://whispersystems.org/docs/specifications/doubleratchet/doubleratchet.pdf

  41. Marlinspike, M., Perrin, T.: The X3DH Key Agreement Protocol (11 2016). https://signal.org/docs/specifications/x3dh/x3dh.pdf

  42. Maurer, U.: Constructive cryptography – a new paradigm for security definitions and proofs. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 33–56. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27375-9_3

    Chapter  MATH  Google Scholar 

  43. Maurer, U.M., Wolf, S.: Diffie-Hellman Oracles. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 268–282. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_21

    Chapter  Google Scholar 

  44. Nielsen, J.B.: Separating random Oracle proofs from complexity theoretic proofs: the non-committing encryption case. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 111–126. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_8

    Chapter  Google Scholar 

  45. Poettering, B., Rösler, P.: Towards bidirectional ratcheted key exchange. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 3–32. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_1

    Chapter  Google Scholar 

  46. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18

    Chapter  Google Scholar 

  47. Sipser, M.: Introduction to the theory of computation. PWS Publishing Company (1997)

    Google Scholar 

  48. Unger, N., Goldberg, I.: Deniable key exchanges for secure messaging. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 1211–1223. ACM Press, Denver, CO, USA, 12–16 October 2015

    Google Scholar 

  49. Unger, N., Goldberg, I.: Improved strongly deniable authenticated key exchanges for secure messaging. Proc. Priv. Enhancing Technol. 2018(1), 21–66 (2018)

    Article  Google Scholar 

  50. Vatandas, N., Gennaro, R., Ithurburn, B., Krawczyk, H.: On the cryptographic deniability of the signal protocol. In: Conti, M., Zhou, J., Casalicchio, E., Spognardi, A. (eds.) ACNS 2020. LNCS, vol. 12147, pp. 188–209. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57878-7_10

    Chapter  Google Scholar 

  51. Yilek, S., Rescorla, E., Shacham, H., Enright, B., Savage, S.: When private keys are public: results from the 2008 debian openssl vulnerability. In: Proceedings of the 9th ACM SIGCOMM Conference on Internet Measurement, IMC 2009, pp. 15–27. Association for Computing Machinery, New York (2009). https://doi.org/10.1145/1644893.1644896

Download references

Acknowledgements

We would like to thank Yevgeniy Dodis and Daniel Jost for helping us realize that the trick used in the \(\textsf{CKA}^{+}\) construction can also be used to make UPKE more efficient (Appendix F).

This research is supported in part by DARPA under Agreement No. HR00112020026, AFOSR Award FA9550-19-1-0200, NSF CNS Award 1936826, and research grants by the Sloan Foundation, and Visa Inc. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Government or DARPA.

Author information

Authors and Affiliations

  1. New York University, New York, USA

    Alexander Bienstock

  2. UC Berkeley, Berkeley, USA

    Jaiden Fairoze & Sanjam Garg

  3. NTT Research, Sunnyvale, USA

    Sanjam Garg

  4. Swirlds Labs, Dallas, USA

    Pratyay Mukherjee

  5. Visa Research, Palo Alto, USA

    Srinivasan Raghuraman

Authors
  1. Alexander Bienstock
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jaiden Fairoze
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Sanjam Garg
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Pratyay Mukherjee
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Srinivasan Raghuraman
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Alexander Bienstock .

Editor information

Editors and Affiliations

  1. New York University, New York, NY, USA

    Yevgeniy Dodis

  2. University of Florida, Gainesville, FL, USA

    Thomas Shrimpton

1 Electronic supplementary material

Below is the link to the electronic supplementary material.

Supplementary material 1 (pdf 843 KB)

Rights and permissions

Reprints and permissions

Copyright information

© 2022 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Bienstock, A., Fairoze, J., Garg, S., Mukherjee, P., Raghuraman, S. (2022). A More Complete Analysis of the Signal Double Ratchet Algorithm. In: Dodis, Y., Shrimpton, T. (eds) Advances in Cryptology – CRYPTO 2022. CRYPTO 2022. Lecture Notes in Computer Science, vol 13507. Springer, Cham. https://doi.org/10.1007/978-3-031-15802-5_27

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-15802-5_27

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-15801-8

  • Online ISBN: 978-3-031-15802-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation